The Future Of Risk Management

Where volatility goes, risk often follows.

In today’s increasingly volatile business environment, risk is everywhere. From AI-enabled cyber attackers to increased impacts of climate change and unforeseen geopolitical threats, today’s business leaders have to be ready for anything and everything — and the ongoing volatility shows no signs of slowing. According to Forrester’s most recent Business Risk Survey, 80% of enterprise risk management (ERM) decision-makers say volatility is either increasing (44%) or staying the same (36%). The majority also say that the number of discrete, critical risk events their organization has experienced has either increased (28%) or stayed the same (46%).

It has perhaps never been more important to truly understand risk management and maintain a comprehensive risk management strategy.

What Is Risk Management?

At the highest level, risk management can be defined as a structured process of identifying, assessing, and addressing potential risks that could impact an organization’s strategic objectives and business performance. Not all risk is bad, so effective risk management ensures that organizations can proactively identify potential loss events, seize opportunities, and maintain resilience in a dynamic business environment.

To help businesses navigate volatility and risk with confidence, Forrester has developed the Three E’s Framework to identify and prioritize the three primary sources of risk based on level of control:

1. Enterprise Risk. Enterprise risks are internal risks fully within the organization’s control, such as cybersecurity, financial risks, and internal policies. They arise from the company’s strategy, investments, business model, products, policies, and internal controls, and they are affected by the maturity of its enterprise risk management program. Examples of enterprise risks include data privacy risk, information security risk, financial risk, operational risk, business continuity risk, or insider risk. Because organizations have full control over enterprise risks, they can choose to accept risks within their risk appetite, mitigate risks partially or fully, transfer risks through insurance or contractual means, or reconsider strategic direction to reduce risk.

What Are The Top Five Enterprise Risks?

Forrester’s most recent Business Risk Survey found that ERM decision-makers ranked these as the top five enterprise risks they face today:

  1. Information security/cyber risk
  2. Financial risk
  3. AI risk
  4. Data governance risk
  5. Operational risk

Source: Forrester’s Business Risk Survey, 2025

2. Ecosystem Risk. Ecosystem risks are external risks that the organization has partial control over, including third-party relationships, supply chain dynamics, and partnerships. They can stem from suppliers, distributors, technology partners, and other interconnected business relationships. Examples of these risks could include supply chain vulnerabilities, operational disruptions of partners, or technology partner risks. While the organization is fully responsible for these risks, it typically has limited ability to manage them.

3. External Risk. External risks are typically larger, broader risks that are fully outside an organization’s control. Systemic risks are a type of external risk that may be underestimated by the organization because they build gradually over time and are interconnected with enterprise and ecosystem risks. Examples of systemic risks include geopolitical tensions, climate change, and economic uncertainties.

What Are The Top Five Systemic Risks?

  1. Data integrity
  2. Economic uncertainty
  3. Geopolitical risk
  4. Speed of innovation
  5. Climate change

Source: The Top 10 Systemic Risks, 2025

Who Should Lead Risk Management Efforts?

The success of a risk management program depends on its leadership and the level of visibility it has at the top of an organization. Having a clear and empowered leader responsible for risk management can have a direct impact on your organization’s risk exposure. According to Forrester data, enterprises where ERM is not a board-level topic were 20 percentage points more likely to report experiencing six or more critical risk events in the past 12 months than the overall group of respondents. In other words, not making risk management a top priority in your organization opens your organization up to more risk.

The most direct way to ensure that risk management is a C-suite topic is by creating a C-level role to oversee it. In 2023, 62% of ERM decision-makers polled by Forrester said their organization had a chief risk officer (CRO). By 2025, it was 67%, indicating that more organizations are centralizing their risk management under a C-level role.

But having a CRO is only useful if they have support and alignment with the other leaders at the top of the organization. How common is that? For one-third of organizations, the CRO reports directly to the CEO, a clear indication that the organization prioritizes risk. In other organizations the CRO may report to the CFO, CIO, or COO.

In addition to the chief risk officer, the other C-level role that has gained traction is the chief information security officer (CISO). As cyberattacks have become more common and more complex in recent years, it has become much more common for organizations to have a CISO who can focus specifically on cybersecurity and cyberattacks. In fact, many more organizations have a CISO in place than a CRO, and many CISOs have a direct reporting line to the top of the org chart. According to Forrester data, 86% of ERM decision-makers said their organization has a CISO, most often reporting to the CIO (37%) or CEO (32%); in 5% of organizations, the CRO actually reports to the CISO.

A New Approach To Risk Management: Continuous Risk Management

In today’s volatile business world, the characteristics of risk are changing. Today, risk is dynamic, shared, and continuous, making ongoing risk management more challenging. Your risk management strategy has to adapt to these changing trends. Effective risk management requires a more structured approach to anticipate pressures across these dimensions, and clear accountability: risk ownership lies with decision-makers, not with risk managers, whose role is to maintain processes and support first-line owners.

As risks and opportunities evolve throughout projects and operations, organizations need a continuous process to assess context, adapt decisions, and monitor outcomes — because a single point-in-time assessment cannot capture reality. In today’s environment, it isn’t about avoiding all threats — it’s about deciding which risks are worth taking to achieve your objectives.

The Forrester Continuous Risk Management Model provides a good enterprise risk framework example to help formalize your program, integrate key stakeholders from the C-suite into operations, and connect risk activities directly to business value.

  • Bridge the gap between risk strategy and business performance. The model connects high-level strategy with operational realities, giving leadership — including the board, CRO, and CISO — the insights to meet objectives and align with changing priorities.
  • Create consistent risk management across all domains. As a domain-agnostic risk framework, it can be applied to standardize workflows for managing enterprise, ecosystem, and external risks, providing a common process and taxonomy.
  • Anchor risk management to the pursuit of value. Go beyond mitigating threats. The model helps you evaluate trade-offs and support decisions that accelerate growth, innovation, and resilience.
  • Enable strategic agility with clear on- and off-ramps. The model accounts for ongoing feedback and changing conditions, creating clear decision points to pivot, pause, or proceed with investments and initiatives.

Next Steps

Looking for help managing risk in your organization? Interested in learning how the Continuous Risk Management Model could apply to your business? Forrester Decisions for Security & Risk helps security and risk leaders continuously manage risk within strategic opportunities, protect business growth, and gain customer and employee trust with secure, private experiences. With a combination of actionable insights, proven risk management frameworks, and continuous guidance, Forrester helps you define and execute best practices that reinforce customers’ trust.

Build The Security Organization For The Future

To get started in building a better security team, download our guide, Building A Security Org For the Future. The comprehensive guide lays out an easy-to-follow strategy for expanding your security budget and provides a five-step plan for reducing burnout in the security organization, modeled on the NIST Cybersecurity Framework.

Contact us today.